Dynadot refusing to unlock account, what are my options? ...

[tripflex]

Going to try and keep this short and sweet. I started a hosting company back in 2009, was just me and eventually grew in size. I ended up having to start hiring people and one of them that was with us for a short while I had setup an account with Dynadot to start catching auction domains.

Long story short, he left the company a month or so later, and now about 2 years later I go into the account to try and transfer one of the domains, and am unable to unlock the account.

Dynadot required birthday to unlock and if you don't have that you need the security question. I don't have the guys birthday and every attempt to contact him has failed.

Few things to note:

• All domains under account were purchase with MY business credit card with MY name on it
• The email on the account has been setup to forward to my email
• The address on the account is my company address
• The phone number on the account is company phone number

Contacted Dynadot multiple times and they basically refuse to unlock the account unless I get them a photo ID showing his name or provide the security question answer. I've asked them to just review the invoices and they will see it's my name on the credit card, asked to verify via sending a letter to address, or even call to verify, but they refuse to do any of that to verify the account.

So now i'm left with what options I have available to handle this. My first thought was just to get a lawyer involved, but that could end up costing a good chunk of change and I want to try and keep the cost down as much as possible.

The only other option I could think of was to let the domains expire and try and catch them in the Dyandot auction, or if the price ends up going crazy out of control in the auction, just renew the domain.

Does anybody have any suggestions or thoughts regarding this? I've exhausted every option I can think of to prove to them it's my account but have not gotten anywhere.

If I do let the domains go into auction and expire, say I end up not catching one of them because someone snipes the bidding and gets it .... technically I could still renew it, right? As long as it's within redemption period?

Thanks guys!!

 

[DU]

That is not true. And Dynadot knows it, and by saying and doing this they put their ICANN accreditation at risk by breaking ICANN domain transfer rules - as well as annoying and inconveniencing account holders and domain registrants.

It is technically accurate to say the account lock prevents you unlocking domains or generating authcodes from within the account, or changing account holder details. But you can still change registrant names and details if you want in the locked account, in fact Dynadot accounts are set up to hold multiple registrant profiles so one account may serve many registrants.

In a nutshell, ICANN sees the registrant as the owner and gives them a clear right to transfer the domain, regardless of whose account it is in - they can just directly tell Dynadot to transfer it to them, and then Dynadot has to unlock the domain and provide the authcode directly to them.
https://www.icann.org/resources/pages/transfer-policy-2015-09-24-en

Using your logic:
If someone happens to get access to your account and changes the registrant to their email address then they own the domain and have clear right to transfer the domain no questions asked. Furthermore, if someone gets access to JUST your email account then they should be able to transfer the domain wherever they want because in your world an email is the sole key needed to garner ownership. Simply login and request an auth and transfer away. Thieves don't even need to have account access and ICANN will revoke you accreditation if you don't allow them to do that!

In your world. Theft is easy. Why even bother with passwords or accounts.. just handle everything via email.

A better interpretation of what @Dynadot said was that someone that couldn't pass a basic authentication challenge will not be allowed to transfer the domain. No where did they say they would refuse to transfer the name if you provided information validating your account. If you set up your account with valid information (i.e. not made up persona ) you should be able to manage this. This is no different than any registrar.. Can you imagine the following being ok?
"Hey GoDaddy/Name/Enom etc...,

I've like totally forgotten my login and password but I know my domain is there.. can you just give me access? Please? I can totally prove who I am by sending you my name written on a sheet of paper in ink...but this email is from the registrant email that I never hacked, it's so really mine, so it should be cool. Actually, don't bother giving me access because I just want to transfer the name anyway so give me the auth code and unlock it, mmkay?"

Your link states much of what must be done but it also has as a valid reason for denial:

3.7.2 Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact.

I believe that the fact you don't know your account details would be considered reasonable dispute by many who care about domain theft.

As far as country without a photo id.Your link has alternative that might work. Note that many of these are photo id and some (such as (A) will often require one to get the statement - or two alternatives can be usedin the US ). I don't know what Dynadot's position on these are but I've not setup a question and answer that I've forgotten.

(a) Notarized statement
(b) Valid Drivers license
(c) Passport
(d) Article of Incorporation
(e) Military ID
(f) State/Government issued ID
(g) Birth Certificate

If you talk to them maybe something can be worked out.

If you live in a field in Shropshire without internet or housing high on acid? Then you're probably sol.

 

[carob]

If someone happens to get access to your account and changes the registrant to their email address then they own the domain and have clear right to transfer the domain no questions asked.

Yes that is true as defined by ICANN and would have recovered the OP's domain for him, solving the problem that started this thread. It has worked for others. Dynadot have no choice - the alternative is a complaint to ICANN and loss of ICANN accreditation.

The key texts from ICANN you need to quote to Dynadot to recover your domain are:

https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en

5.2 Registrars must provide the Registered Name Holder with the unique "AuthInfo" code and remove the "ClientTransferProhibited" within five (5) calendar days of the Registered Name Holder's initial request if the Registrar does not provide facilities for the Registered Name Holder to generate and manage their own unique "AuthInfo" code and to remove the "ClientTransferProhibited" status

1.1 Transfer Authorities

The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible Whois service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar. In the event of a dispute, the Registered Name Holder's authority supersedes that of the Administrative Contact.

The domain owner is the registrant, not the account holder. Registrant asserting their rights directly with registrar results in transfer with no involvement of account holder.

 

[DU]

5.2 Registrars must provide the Registered Name Holder with the unique "AuthInfo" code and remove the "ClientTransferProhibited" within five (5) calendar days of the Registered Name Holder's initial request if the Registrar does not provide facilities for the Registered Name Holder to generate and manage their own unique "AuthInfo" code and to remove the "ClientTransferProhibited" status

Technically they aren't violating the above. See red.

Also read not allowed for refusal:

"3.9.3 Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request."

I would suggest that allowing access to the lock/auth code by validating you are the person who put the domain into their custody is within the bounds of reasonable. Asking you to log in and know your birth month/day or answer to a question you created is not unreasonable. All registrars ask you for some validation at the account level - via a PIN or similar. I would expect a custodian of my data to care about the custody of it.

So @carob - we will have to disagree.

I would firmly suggest that no-one use any registrar that would allow someone to transfer a domain away without requiring any form of authentication beyond an email. It's as simple as that for me.

 

[carob]

Technically they aren't violating the above. See red.

Also read not allowed for refusal:

"3.9.3 Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request."

I would suggest that allowing access to the lock/auth code by validating you are the person who put the domain into their custody is within the bounds of reasonable. Asking you to log in and know your birth month/day or answer to a question you created is not unreasonable. All registrars ask you for some validation at the account level - via a PIN or similar. I would expect a custodian of my data to care about the custody of it.

So @carob - we will have to disagree.

I would firmly suggest that no-one use any registrar that would allow someone to transfer a domain away without requiring any form of authentication beyond an email. It's as simple as that for me.

I'm not sure you read my post fully. This method of a registrant getting a domain out of Dynadot without access to the account is not hypothetical - it already works in real life - they have no choice.

I'm guessing your comment is about your own domain names where you are both registrant and account holder. But Dynadot's own system allows for multiple registrants in one account, so registrant and account holder can be different parties, which was the OP's problem. If a developer passed away leaving a client's domain in their account it would be natural for the client to need to recover the domain without access to the account. There simply is no opportunity for them to unlock the domain from within the account.

 

[DU]

duplicate

 

[DU]

I'm not sure you read my post fully. This method of a registrant getting a domain out of Dynadot without access to the account is not hypothetical - it already works in real life - they have no choice.

I'm guessing your comment is about your own domain names where you are both registrant and account holder. But Dynadot's own system allows for multiple registrants in one account, so registrant and account holder can be different parties, which was the OP's problem. If a developer passed away leaving a client's domain in their account it would be natural for the client to need to recover the domain without access to the account. There simply is no opportunity for them to unlock the domain from within the account.

That is indeed a different scenario but it's no different than it would be with any registrar and doesn't change much, if anything.

In my opinion - someone holding the name for someone else on an ad-hoc basis is always going to be a problem and the correct approach is to prevent the problem not criticize the difficulty getting out of it once it arises. You are right.. the registrant is the official owner; however, the registrar needs to ensure the name isn't transferred fraudulently.

In the case of the OP. He had a technical resource set it up who left ....

He CALLED Dynadot and explained... they reset his account ... so there is due diligence and not no flexibility.

If they had proper documentation (they had enough) or decent procedures it wouldn't have happened in the first place and they admitted as much. He also acknowledged he didn't want to pay legal fees.
He still got his control back....
The OPs scenario was an example of corporate control failure.

Take the example of a web company registering and holding the name of one of its clients as you have above. There are two ways this could be handled -

1. Client holds the name and makes necessary updates to nameservers etc to facilitate usage. Client retains full control.
   
   
2. Stewardship of the name is handed to the web company via enforceable contract. That legal document would be enough to enable Dynadot or any registrar to turnover the name. It could be court ordered.

Either way - the issue is a very very small percentage of cases and being blunt - I would suggest that all instances of issues are due to some level of negligence on the part of the registrant/account holder.

So we can continue to disagree because I don't believe that Dynadot has a full no recourse lock-out policy and that's what people are suggesting. There's a vast difference between being annoying/painful when you need something easy... versus operating in violation of accreditation. That is something else entirely.

 

[DNGear]

Just a small idea.

Open another account in dynadot with your full details and send an offer(10 usd) to your domains.
You accept that offer from your old account.
(IP Address should be different).

 

[DU]

Just a small idea.

Open another account in dynadot with your full details and send an offer(10 usd) to your domains.
You accept that offer from your old account.
(IP Address should be different).

I think you need the unlock to be able to list the domain if I recall

 

[DNGear]

I think you need the unlock to be able to list the domain if I recall

Yes its true.
It works, if it was listed already for sale.

 

[GoKaizen]

Never had an issue with Dyandot but I can see how the frustrating the situation is for the OP.

 

[CloudTech]

Hope I could see this post 2 years ago.

 

[DomainVP]

I'm in the future!
The same thing is happening to me here in 2022.

Dynadot is trash. No other registrar wants my birthday and ID to get an auth code.
There is no resolution with Dynadot.... Choose Epik.

That is all...

 

[forge]

Same thing has happened to me today. I will lose the two domains they now hold hostage, so be it.

Do not register domains with this company. Avoid Dynadot, do not give them any business.

I'd like to update this post, mainly to clarify that my response to my situation at that time may have been a little(?) rash.

I do still have a fair number of domains registered with Dynadot, and my experience with them, after this "rough patch", has been good and trouble free.

 

[Name Trader]

PM'd you, @DmainVP

 

[forge]

PM'd you.

You? Who?

Disregard?

 

[Name Trader]

You? Who?

Disregard?

Clarified above